Almost a year after Assistant Secretary of the Navy James Geurts issued his September 28, 2018 memorandum (Geurts Memo) imposing enhanced security controls on “critical” Navy programs, the Navy has issued an update to the Navy Marine Corps Acquisition Regulations Supplement (NMCARS) to implement those changes more formally across the Navy. Pursuant to this update, a new Annex 16 in the NMCARS provides Statement of Work (SOW) language that must be added into Navy solicitations and contracts where the Navy has determined “the risk to a critical program and/or technology warrants its inclusion.” In addition to the technical requirements reflected in the Geurts Memo, the Navy has added Subpart 5204.73 to the NMCARS that, among other things, instructs Contracting Officers (COs) to seek equitable reductions or consider reducing or suspending progress payments for contractor non-compliance with the Annex 16 and DFARS 252.204-7012 (DFARS clause) requirements.

SUBPART 5204.73

Equitable Price Reductions/Suspension and Reduction of Progress Payments. The Navy added Subpart 5204.73 “Safeguarding Covered Defense Information and Cyber Incident Reporting” to the NMCARS. This Subpart provides direction to COs in three areas. First, it provides that Annex 16 must be included in the SOWs of relevant solicitations, contracts and task or delivery orders. Second, the Subpart directs COs to consider the DFARS clause, Annex 16 and the Geurts Memo as material requirements.[1] Finally, if COs accept supplies or services with “critical or major non-conformances (e.g., failure to comply with material requirement)” they are directed to impose an equitable price reduction. The Subpart identifies a “reasonable amount” for this reduction as 5% of the total contract value. That amount can be increased if there is an increased risk from the non-conformance. If the CO decides to require correction of nonconforming services or supplies rather than acceptance, the CO is directed to withhold/reduce or suspend progress payments if correction is not made in a timely manner.

This revision to the NMCARS represents a powerful enforcement mechanism for the Navy. Until now, DOD has stated that the failure to comply with the DFARS clause requirements would be treated as a contract performance issue. Although that basic concept continues, the Subpart explicitly defines the DFARS clause, Annex 16 and the Geurts Memo as “material requirements” of the contract. A failure to comply with a material requirement would make contractors potentially liable for significant equitable reductions or for a suspension or reduction of progress payments. Read literally, a contractor that reports a cyber incident 76 hours (and not 72 hours) after discovery may be violating a material requirement of the contract. Contractors may derive some comfort from the NMCARS’ reliance on FAR 32.503-6, “Suspension or reduction of payments,” which at least requires COs to “act fairly and reasonably” and “base decisions on substantial evidence.” However, the nonconforming supplies or services provision in FAR 46.407 does not impose a similar fairness requirement on COs.

ANNEX 16

The Navy’s Annex 16 covers five areas: (1) System Security Plans (SSPs) and Plans of Action and Milestones (POA&Ms) Reviews; (2) Compliance with NIST Special Publication (SP) 800-171; (3) Cyber Incident Response; (4) Naval Criminal Investigative Service (NCIS) Outreach; and (5) NCIS/Industry Monitoring. The requirements of Annex 16 are similar to various requirements that have been included in various Navy solicitations over the past year. As described below, although the Annex provides more detail than the Geurts Memo, significant questions remain about how each of these requirements will be interpreted by the Navy going forward.

SSP/POA&M Review. Although the Geurts Memo directed contractors to submit their SSPs as a contract deliverable for approval, Annex 16 clarifies that within 30 days of award, contractors must make their SSP and POA&M available for review by the Government at the contractor’s facility. If the Government determines that an SSP “does not adequately implement the requirements” of the DFARS clause, the Government will give the contractor an opportunity to correct the SSP and submit an updated POA&M. The language assumes that such corrections will occur within 30 days, but the CO can grant a longer period. Once approved, the contractor is required to notify the Government if it fails to meet any milestones in the updated POA&M. The Government is entitled to conduct a follow-on review of an SSP at the contractor’s facilities until all deficiencies are corrected. Finally, the Government may “at its sole discretion” conduct a subsequent review to verify the information in an SSP, but the Government must conduct such reviews at least every three years from the date of award and can do so on 30 days’ notice.

There is no standard for how the Government determines that the SSP “adequately implements” the requirements of the DFARS clause,[2] nor is there any indication of how a contractor could appeal an adverse finding absent a formal contract claim. It also remains unclear who within the Navy will be conducting these assessments. Further, although the notification requirement appears limited to milestones for corrective actions in the revised POA&M, the language could be interpreted more broadly to cover any milestone in a revised POA&M. Given that a failure to comply with the DFARS clause is defined as a failure to comply with a material requirement, the Navy could treat the failure to achieve a milestone in a POA&M as grounds for an equitable price reduction or suspension or reduction in progress payments.

Compliance with NIST SP 800-171. The SOW language in the Navy’s Annex 16 requires that contractors implement NIST SP 800-171 (Rev. 1) consistent with the requirements in the DFARS clause.[3] Unlike the Geurts Memo, which prohibited the approval of an SSP unless certain specified controls were met, Annex 16 tracks more closely to the DFARS clause by acknowledging that certain controls may not yet be implemented and requires contractors to “identify in any SSP and POA&M their plans to implement” the specified controls. Nonetheless, the Navy’s ability to review an SSP for adequacy 30 days after award could result in a POA&M that requires a contractor to implement these controls on an accelerated basis.

Notwithstanding the general requirements to “fully implement” the security controls of NIST SP 800-171 (Rev. 1), Annex 16 also requires the contractor to identify in each SSP and POA&M, at a minimum, its plans to implement the following controls, which are tied to derived security requirements in NIST SP 800-171 (Rev. 1):

3.5.3, Multifactor Authentication. Require multifactor authentication (MFA) for all users logging into a network system or, if it is not possible to implement MFA on “legacy systems and systems that cannot support this requirement,” implement “a combination of physical and logical protections” acceptable to the Government. What measures will be considered “acceptable” and thus, the measures contractors will be required to implement on such systems, are unclear.

3.1.5 Least Privilege and Associated Controls. Contractors are required to identify practices implemented “to restrict the unnecessary sharing with, or flow of, covered defense information to its subcontractors, suppliers, or vendors based on need-to-know principles.” The methods that should be used for such tracking are not specified. Nevertheless, this requirement obliges contractors to identify preemptively and track continuously the flow of covered defense information they receive or create during contract performance.

3.1.12, Monitor and Control Remote Access Sessions. Remote access sessions must be monitored and controlled, and such monitoring must include “mechanisms to audit the sessions and methods.” As a result, if contractors’ current monitoring of remote access systems does not allow for this type of auditing, contractors will likely need to enhance their capabilities.

3.13.11 Approved Cryptographic Methods. Contractors must implement approved cryptographic methods, such as Federal Information Processing Standard (FIPS) 140-2 validated cryptography or National Security Agency- or NIST-approved algorithms. In addition, contractors must participate in the NIST Cryptographic Algorithm Validation Program (CAVP), which provides “validation testing of FIPS-approved and NIST-recommended cryptographic algorithms and their individual components.” As a result, while the use of “FIPS-validated” algorithms may not be strictly required, it appears that contractors will be limited to using algorithms that are: (1) FIPS-validated or NSA- or NIST-approved; and (2) validated through the CAVP.

3.13.16 Confidentiality of CUI at Rest. The confidentiality of CUI at rest must be protected and, if the contractor includes this control in a POA&M for implementation, the implementation “will be evaluated by the Navy for risk acceptance.” The standards the Navy will use to evaluate such risk assessments are not specified and thus, the requirements to which contractors will ultimately be subject are unclear.

3.13.19 Encrypt CUI on Mobile Devices. CUI on mobile devices must be encrypted and, if the contractor includes this control in a POA&M for implementation, the POA&M will be “evaluated by the Government Program Manager for risk to the program.” The standards the Government Program Manager will use to assess such risk are not specified and thus, the requirements to which contractors will ultimately be subject are unclear. Significantly, however, contractors who process CUI on mobile devices (e.g., through email) will need to ensure all email containing CUI is encrypted.

In addition, although not mapped to a particular control in NIST SP 800-171 (Rev. 1), Annex 16 also requires contractors to “audit user privileges on at least an annual basis.” How this auditing must be conducted is not specified.

These requirements are generally consistent with the principles of the Geurts Memo but also recognize additional areas where exceptions to the requirements might be appropriate or necessary. For example, the Geurts Memo requires contractors to “fully implement MFA” and does not include allowances for legacy systems or other systems that do not support MFA; the Geurts Memo also requires full implementation of “FIPS-validated encryption” and does not address the use of NSA- or NIST-approved encryption.

Even though the Annex 16 requirements contemplate additional areas where exceptions to the requirements may be appropriate or necessary, as described above, Annex 16 provides the Navy with significant discretion in determining whether a contractor’s implementation of certain controls is acceptable, but does not explain the standards and methods the Navy will use in making this determination. As a result, how contractors will be expected to comply with the Annex 16 requirements is not clear. Further, as discussed above, the Government’s remedies for contractor non-compliance are significant and, in theory, could be levied against contractors who do not meet the Government’s expectations.

Cyber Incident Response. Consistent with the Geurts Memo, Annex 16 provides that—in addition to reporting cyber incidents to DOD within 72 hours of discovery—contractors must deliver to the Department of Defense Cyber Crimes Center (DC3) “all data used in performance of the contract that the Contractor determines is impacted by the incident and begin assessment of potential warfighter/program impact” within fifteen days of discovering a cyber incident. Following the initial deliverable, contractors must notify the Government within ten days of identifying any new data not previously delivered. There is a provision for requesting a longer period for delivery that the CO can approve after coordinating with DC3. This language imposes more definite deadlines for providing DC3 with data and subsequent updates than currently exist in the DFARS clause. It is unclear how these dates will be reconciled with the 90-day preservation requirement in the DFARS clause.

NCIS Outreach. Contractors are required to engage with NCIS industry outreach efforts and “consider recommendations for hardening of covered contractor information systems affecting” Navy programs and technologies. There is no guidance on what would satisfy the outreach efforts requirement, including to what extent and how often contractors must participate.

NCIS/Industry Monitoring. Any time the Government has an “indication of a vulnerability or a potential vulnerability,” Annex 16 requires contractors “to cooperate with NCIS,” including cooperation related to “threat indicators” and “pre-determined incident information derived from the Contractor’s infrastructure systems.” Contractors may also be required to continuously provide “all Contractor, subcontractor or vendor logs that show network activity, including any additional logs the contractor, subcontractor or vendor agrees to initiate as a result of the cyber incident or notice of actual or potential vulnerability.” This requirement could be problematic for many prime contractors, who, among other reasons, may not have the right to access their subcontractors’ and vendors’ logs or the right to provide these logs to the Navy; to comply with this requirement, prime contractors will need to flow down this requirement to all subcontractors and vendors. Even if this requirement is flowed down effectively, how and when such logs will be provided to the Navy—particularly if the contractor is ultimately required to provide such logs continuously—is likely to be logistically complicated. All logs that “show network activity” could represent a tremendous volume of data and, to the extent the network of the relevant prime contractor, subcontractors, and vendors is not segregated to include only Navy data, these logs could include network activity wholly unrelated to performance under a Navy contract. Additionally, the Navy does not specify the types of logging that it may require from contractors, so it is unclear whether contractors can comply with this obligation based on their current systems and capabilities.

If the collection of all logs “does not adequately protect its interests, contractors are required to work with NCIS to implement additional measures,” including the “installation of an appropriate network device that is owned and maintained by NCIS, on the contractor’s information systems or information technology assets.” The installation of the devices will be covered by a separate agreement between NCIS and the contractor. In the alternative, the contractor may install network sensor capabilities or a network monitoring service, “either of which must be reviewed for acceptability by NCIS,” and which also would be subject to a separate agreement between NCIS and the contractor.

The placement of NCIS-owned and -controlled sensors on contractor networks raises myriad legal and practical questions for both the Government and contractors. Although Annex 16 notes that “the collection or provision of data and any activities associated with this statement of work shall be in accordance with federal, state, and non-US law,” the Annex offers no guidance on the type of data that would be collected (e.g., pre-defined indicators of compromise, other telemetry data, content from packet capture, etc.) or where in contractors’ environments the sensors would be placed—such as covering email systems, communications with cloud providers, or external communications at the edge—and does not explain under what grounds the installation of NCIS-owned and -controlled sensors would be authorized under U.S. state or federal or international law. That type of guidance and analysis is key and would assist contractors in analyzing their compliance obligations and any potential legal risks to the contractor from the installation and monitoring of NCIS-owned and -controlled sensors.

Finally, although the Annex provides an alternative that permits contractors to install network sensor capabilities or a network monitoring service, the language requires approval by NCIS and provides no guidance as to what will be deemed acceptable.

IMPACT ON CONTRACTORS

As it continues to prioritize the cybersecurity of its supply chain, the Navy has followed through on the Geurts Memo by adding penalties for relevant contractors that fail to meet the requirements of the DFARS clause and Annex 16. This includes the requirement to cooperate with NCIS and potentially to install sensors on contractor systems. The new NMCARS Subpart 5204.73 and Annex 16, which should start being included in solicitations immediately, leave important questions unanswered. These include questions about which programs will require the new SOW language, what controls the Navy will require to be fully implemented to achieve “adequate security” and how aggressively the Navy will pursue the remedies now tied to non-compliance with these cybersecurity obligations. Although Annex 16 does scale back the NCIS sensor obligation from the Geurts Memo somewhat—requiring contractors to work with NCIS through a separate agreement to implement additional measures as opposed to providing automatic authorization to the NCIS as part of the prime contract—the discretion of whether additional measures are required, including the installation of sensors, still rests with the Government.

[1] In addition to the DFARS clause and Annex 16, NMCARS 5204.7303-1(b) lists the “DIB memo” as a material requirement. We assume that this is a reference to the Geurts Memo.

[2] “Adequate security” under the DFARS clause includes at a minimum implementation of NIST SP 800-171 with an SSP and POA&M.

[3] The reference to NIST SP 800-171 (Rev. 1) may be revised, as NIST has already released a draft of 800-171 (Rev. 2). To the extent the Navy does not update this reference, contractors should be aware that the Navy’s SOW language may ultimately be inconsistent with the DFARS clause requirements.

DoD Releases Public Draft of Cybersecurity Maturity Model Certification and Seeks Industry Input
https://www.insidegovernmentcontracts.com/2019/09/dod-releases-public-draft-of-cybersecurity-maturity-model-certification-and-seeks-industry-input/
Fri, 06 Sep 2019 12:30:59 +0000

On September 4, the Office of the Assistant Secretary of Defense for Acquisition released Version 0.4 of its draft Cybersecurity Maturity Model Certification (CMMC) for public comment. The CMMC was created in response to growing concerns by Congress and within DoD over the increased presence of cyber threats and intrusions aimed at the Defense Industrial Base (DIB) and its supply chains. In its overview briefing for the new model, DoD describes the draft CMMC framework as a “unified cybersecurity standard” for DoD acquisitions that is intended to build upon existing regulations, policy, and memoranda by adding a verification component to cybersecurity protections for safeguarding Controlled Unclassified Information (CUI) within the DIB. As discussed in a prior post, the model describes the requirements that contractors must meet to qualify for certain maturity certifications, ranging from Level 1 (“Basic Cyber Hygiene” practices and “Performed” processes) through Level 5 (“Advanced / Progressive” practices and “Optimized” processes), with such certification determinations to generally be made by third party auditors.

The CMMC establishes a new framework for defense contractors to become certified as cybersecurity compliant. DoD has stated that it intends to release Version 1.0 of the CMMC framework in January 2020 and will begin using that version in new DoD solicitations starting in Fall 2020. Notwithstanding the pendency of these deadlines, a large number of questions remain outstanding. DoD is seeking feedback on the current version of the model by September 25, 2019.

Overview of the Current CMMC Framework Draft

At its core, the current version of the CMMC framework consists of a matrix, composed of “Domains,” “Capabilities,” and “Practices and Processes.” Domains are comprised of Capabilities, and Capabilities are comprised of Practices and Processes. The model contains 18 different Domains of “key sets of capabilities for cybersecurity,” 14 of which use the same terminology as the security requirement families in NIST Special Publication (SP) 800-171. The model adds Asset Management, Cybersecurity Governance, Recovery, and Situational Awareness to the NIST SP 800-171 security requirement families. The 18 Domains are:

Access Control

Asset Management*

Awareness and Training

Audit and Accountability

Configuration Management

Cybersecurity Governance*

Identification and Authentication

Incident Response

Maintenance

Media Protection

Personnel Security

Physical Protection

Recovery*

Risk Assessment

Security Assessment

Situational Awareness*

System and Communications Protection

System and Information Integrity

* – Domain is not one of the 14 NIST SP 800-171 security requirement families.

Each Domain lists certain Capabilities, which are “achievements to ensure cybersecurity within each domain.” In total, to achieve the highest level of certification — Level 5 — contractors must comply with more than 80 different individual Capabilities, such as the ability to “detect and report events” and the ability to “implement threat monitoring based on defined requirements.”

Capabilities are comprised of much more detailed “Practices” and “Processes” that contractors must adhere to. Practices are similar to security controls, and DoD has described them as “activities required by level to achieve a capability.” Processes, by contrast, are intended to detail the maturity of the institutionalization of the practices.

Although the NIST SP 800-171 controls are referenced in the model (and “coverage” of all NIST SP 800-171 rev 1 security controls is a requisite for meeting Level 3 certification), many of the practices have been informed by other sources, such as ISO 27001:2013, AIA NAS 9933, and the CERT Resilience Management Model, in addition to best practices gathered from DIB members. Many of the requirements, particularly for Level 5 certification, would be new for contractors, and cite to DIB best practices as a source. Noticeably absent are citations to NIST SP 800-171B, which NIST published in draft form in June 2019 with enhanced security requirements designed to protect designated “high value assets” or “critical programs” that contain CUI of interest to advanced persistent threats. Accordingly, there remain questions about how these controls should be interpreted and whether additional guidance for implementation will accompany future versions of the model.

Unlike NIST SP 800-171, which is implemented through a regulation — i.e., DFARS clause 252.204-7012 — DoD plans to implement the requirements of the model on a purely contractual basis. The required CMMC level applicable to a procurement will be listed in the solicitation in sections L and M and will be a “go/no-go decision.”

DoD has stated that the model is still being refined, that practices within the model have not yet been cross-referenced across Domains, and that it anticipates a reduction in size of the model as it is further developed. DoD indicated in the overview briefing accompanying the model that it intends to use independent third party organizations to conduct audits and certify contractors. DoD has released neither the methodology to handle maturity level trade-offs, nor the assessment guidance for these third-party certifiers. Nonetheless, as stated above, DoD plans to have a final version of the CMMC framework released in January 2020, included in RFIs starting in June 2020, and included in RFPs starting in Fall 2020.

Open Questions and Issues for Contractors

The draft CMMC framework provides significant information about the specific requirements that DoD may impose on contractors seeking certain certification thresholds, but leaves open many important questions for contractors.

Implementation Deadlines. The CMMC introduces a significant number of new controls and requirements. Even the most sophisticated contractors will likely find compliance difficult, and the continued maturation of the model will make compliance with DoD’s ambitious deadlines a challenge across the DIB.

Determination of Appropriate CMMC Level for Contracts. The guidance offers no insight into how DoD will determine the CMMC certification level required for each contract solicitation or whether it intends to standardize a process for making such determinations across the Departments or even within requiring activities. Existing FAQs on DoD’s CMMC website only state that “[t]he government will determine the appropriate tier (i.e. not everything requires the highest level) for the contracts they administer.”

Allowable Costs. DoD has consistently said that the costs of compliance with the CMMC would be allowable. Presumably these costs would be recovered in contractors’ overhead rates. However, to the extent that commercial item contractors — including many small businesses — contract with the government on a price basis, the costs of implementation would not be separately reimbursable by the government.

Meeting a Certification Level. The CMMC framework does not provide guidance on how each of the Capabilities within the various Domains are to be weighed against one another, and similarly, how compliance with each of the respective Practices within Capabilities are to be weighed against one another. It is unclear, for example, whether compliance with each Practice or Capability will be given equal weight, whether DoD will assign some relative level of importance to each Practice or Capability, or whether this will be largely left to the discretion of the auditor. Although DoD has stated that “[a] methodology to handle maturity level trade-offs is planned” and that “[d]etailed assessment guidance is still under development,” it is not apparent whether the forthcoming guidance will address any of these points. Nor is it clear the extent to which prior guidance on Reviewing System Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented (i.e., Impact Guidance, which we previously discussed here) may apply to the model.

Audit Determinations. It is not clear what recourse, if any, contractors might have to challenge a CMMC certification determination by an auditor. Although DoD has stated that “[s]ome of the higher level assessments may be performed by organic DoD assessors within the Services, the Defense Contract Management Agency (DCMA) or the Defense Counterintelligence and Security Agency (DCSA),” for lower-level assessments, auditors appear to be vested with a great deal of discretion. For example, DoD recognized “the challenges of being 100% compliant with some practices,” and suggested that an “[a]ssessment of process institutionalization helps to mitigate this concern.” However, it is not clear how auditors are expected to balance overall compliance with Practices against efforts that contractors have taken towards process institutionalization (i.e., Procedures).

Subcontractor Compliance Requirements. DoD has not yet issued any guidance on the certification level required for subcontractors, including whether the prime contractor is responsible for making this determination or if all subcontractors must meet the level assigned to a particular contract regardless of the data that flows to those subcontractors.

Implementation by Policy vs. Regulation. Ordinarily, we would expect these types of requirements for DoD contracts to be addressed through the regulatory process. Making the change through policy allows DoD to implement the requirements more quickly, but does leave open the possibility of divergence among the Departments such as what the DIB has seen over the past year with the unique cybersecurity requirements being issued by the Navy and other Departments.

Protest Considerations. It is not clear whether contractors will have any ability to appeal or successfully protest the CMMC level at which DoD has designated a contract, and if so, whether this will be the only mechanism available to contractors to ensure that agencies give second thought to a particular CMMC level. For example, in the pre-award context, prospective offerors may consider protesting the level assigned to a particular procurement as overly restrictive of competition. Although deference is usually provided to agencies in the area of national security, the viability and success of this and other protest grounds remains to be seen.

As stated above, contractors have until September 25, 2019 to comment on the current version of the model. Given the number of issues outstanding, only some of which are discussed here, interested contractors should offer their comments as early as possible in the process. There is a comment matrix available on the CMMC website, along with instructions for submitting comments.

Section 889 Update: First Wave of Acquisition Prohibitions Take Effect
https://www.insidegovernmentcontracts.com/2019/09/section-889-update-first-wave-of-acquisition-prohibitions-take-effect/
Tue, 03 Sep 2019 17:50:17 +0000

The FAR Council released an Interim Rule in August implementing part of Section 889 of the John S. McCain National Defense Authorization Act for Fiscal Year 2019. In this briefing, we highlight points where the Interim Rule provides clarity; definitional issues that remain unresolved; and new procedural requirements that government contractors should track.

The Interim Rule covers the portion of Section 889, subsection (a)(1)(A), that prohibits the federal government from acquiring certain telecommunications equipment/services from Huawei, ZTE, and other Chinese companies. Specifically: “The head of an executive agency may not … procure or obtain or extend or renew a contract to procure or obtain any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.”

Section (a)(1)(A) took effect on August 13, 2019, although a 60-day window remains open for stakeholders to submit comments to be considered in the development of a final rule. Comments on the (a)(1)(A) Interim Rule are due by October 15, 2019.

The second part of Section 889 implementation, sections (a)(1)(B) and (b)(1), goes into effect on August 13, 2020. Regulations for those sections remain pending within the government, but the definitions and waiver process established by (a)(1)(A) will be instructive for those regulations as well.

Concurrently, all of Section 889 is subject to a legal challenge in U.S. District Court for the Eastern District of Texas. Huawei has sued to invalidate the entire provision, with the most prominent argument that Section 889 is an unconstitutional Bill of Attainder. The case is in a relatively early stage, with another round of briefing due on September 10 and a hearing scheduled for September 19, 2019.

I. Clarifications

As expected, the rule adopts statutory text to define “covered telecommunications equipment or services,” with no changes. It does, however, import an expansive definition of “critical technology,” borrowed from the Foreign Investment Risk Review Modernization Act (“FIRRMA”). The Interim Rule concedes that the definition is overbroad – it includes “select agents and toxins” that are unlikely to apply to telecommunications – but used it in the interest of government-wide consistency as both the changes to the foreign investment review process contained in FIRRMA and Section 889 are being implemented simultaneously. The law applies – as expected – at all dollar values (i.e., below the Simplified Acquisition Threshold) and to purchases of commercial and commercially available off-the-shelf items.

II. Open Questions

“Substantial or essential component” is defined, but broadly and only at a high level: “any component necessary for the proper function or performance of a piece of equipment, system, or service.” Each agency will have to determine which components meet that definition for purposes of compliance. This is an area where seeking additional clarification through the comment period could be important.

“Critical infrastructure” is not defined at all, even though the definition of “covered telecommunications equipment” includes equipment produced by Hytera, Hikvision, or Dahua used for “physical security surveillance of critical infrastructure.” Based on the approach to defining “critical technology,” however, we expect that the government would likely borrow the definition of “critical infrastructure” from FIRRMA: “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems or assets would have a debilitating impact on national security.”

III. Important New Requirements

The Interim Rule describes two sets of compliance obligations that deserve close attention from current and prospective government contractors.

A. “Representations”

The Interim Rule imposes a two-step certification process that presents serious new risks for government contractors.

First, in connection with work after August 13, and later as part of the System for Award Management profile, contractors will be required to represent whether they sell material or services that include covered telecommunications equipment or services.

Second, if they respond that they do, then they must make separate, detailed, offer-by-offer disclosures in connection with bids for contracts and for task/delivery orders.

This system of certifications meaningfully expands the scope of risk associated with due diligence in acquisitions, and broadens potential exposure to the False Claims Act and other anti-fraud statutes.

The representations could also have a potential upside in terms of justifying an exclusion or waiver. The preamble explains that the information provided in the “representation will assist the Government in appropriately assessing the presence of any covered telecommunications equipment or services that may be present … to determine if the items in question will be used as a substantial or essential component, or to determine if a waiver request may be appropriate.” The head of an executive agency may, on a one-time basis, waive the requirements for section (a)(1)(A) for up to two years if the entity seeking the waiver provides a “compelling justification” for the additional time needed for the entity to implement the requirements under the law.

Entities that seek a waiver will also be required to submit to the head of the executive agency with which they intend to contract a “full and complete laydown” of the presence of covered equipment or services in their supply chain, together with a “phase-out” plan to eliminate those elements from the supply chain. The process for submitting a waiver will be determined by each agency.

B. Reporting Requirements

The Interim Rule creates a severe reporting regime with aggressive deadlines: “In the event the Contractor identifies covered telecommunications equipment or services used as a substantial or essential component of any system, or as critical technology as part of any system, during contract performance, or the Contractor is notified of such by a subcontractor at any tier or by any other source, the Contractor shall report the information … to the Contracting Officer … [and] in the case of the Department of Defense, the Contractor shall report to the [DIBNET].”

An initial report is due within one business day, with a follow-up report due in 10 business days. The contractor must report any covered equipment/systems/services discovered during contract performance in a fairly high level of detail, and must flow this requirement down to subcontractors.

The “notified” prong of this reporting requirement is broad, and is not qualified by thresholds like “credible” information. Because it captures notification by “any other source,” it is conceivable that the government could impose a constructive notice requirement on contractors, or could take the position that open-source news reporting triggers the reporting requirements.

IV. Applicability Dates

The prohibitions take effect on August 13, 2019, and apply to new solicitations issued on/after that date and any resulting contracts, as well as to contracts that are awarded on/after August 13, 2019, even if the solicitations preceded that date. The Interim Rule requires contracting officers to include the corresponding FAR clause in any future orders under an indefinite delivery (“ID/IQ”) contract, and in any extension of existing contracts or task/delivery orders (including an option).

Contracting officers must also include the representations provision in all solicitations or notices of intent under an existing ID/IQ contract, whenever performance will occur on/after August 13, 2019.

DoD Announces the Cybersecurity Maturity Model Certification (CMMC) Initiative
https://www.insidegovernmentcontracts.com/2019/07/dod-announces-the-cybersecurity-maturity-model-certification-cmmc-initiative/
Tue, 16 Jul 2019 15:55:42 +0000

The Department of Defense (“DoD”) recently announced the development of the “Cybersecurity Maturity Model Certification” (“CMMC”), a framework aimed at assessing and enhancing the cybersecurity posture of the Defense Industrial Base (“DIB”), particularly as it relates to controlled unclassified information (“CUI”) within the supply chain.

The Office of the Under Secretary of Defense for Acquisition and Sustainment has created a website that provides additional background on the proposed CMMC, including a list of FAQs and details about a CMMC Listening Tour that is intended to solicit feedback from key DIB stakeholders. DoD is planning to release Version 1.0 of the CMMC framework in January 2020 and expects to incorporate CMMC requirements in Requests for Proposals (“RFPs”) beginning in June 2020.

The concept of a CMMC framework arose in response to a series of high profile breaches of DoD information. This caused DoD to reevaluate its reliance on the security controls in National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171 as sufficient to thwart the increasing and evolving threat, especially from nation-state actors. Katie Arrington, Special Assistant to the Assistant Secretary of Defense for Acquisition for Cyber, Office of the Under Secretary of Acquisition and Sustainment, is among those leading this effort and addressed DoD’s plans for the CMMC at the May 23, 2019 Georgetown Cybersecurity Law Institute.

Key takeaways from the CMMC website include:

The initial implementation of the CMMC is for DoD only. However, the use of CUI terminology rather than covered defense information (“CDI”), which is used in DFARS 252.204-7012, indicates a potentially broader role for this model beyond DoD.

All companies conducting business with the DoD, including subcontractors, must be certified.

The CMMC is expected to combine relevant portions of various cybersecurity standards, such as NIST SP 800-171, NIST SP 800-53, ISO 27001, and ISO 27032, into one unified standard for cybersecurity. Unlike NIST SP 800-171, which measures a contractor’s compliance with a specified set of controls, the CMMC will more broadly “measure the maturity of a company’s institutionalization of cybersecurity practices and processes.”

The CMMC is expected to designate maturity levels ranging from “Basic Cybersecurity Hygiene” to “Advanced.” For a given CMMC level, the associated controls and processes, when implemented, are intended to reduce risk against a specific set of cyber threats. Notably, DoD will assess which CMMC level is appropriate for a particular contract and incorporate that level into Sections L and M of the RFP as a “go/no go” evaluative determination. This assessment of appropriate maturity levels on a procurement basis is akin to the Cyber Security Model that the United Kingdom’s Ministry of Defence (“MoD”) currently employs for all MoD contracts.

In general, contractors will be required to be certified by a third-party auditor. The FAQs on the website note that certain “higher level assessments” may be conducted by government assessors, including requiring activity personnel, the Defense Contract Management Agency (“DCMA”), and the Defense Counterintelligence and Security Agency (“DCSA”). The website does not, however, explain what qualifies as a higher level assessment.

How long a certification will remain in effect is still under consideration. Additionally, contractors’ certification levels will be made public, though details of specific findings will not be publicly accessible.

A compromise of a contractor’s systems will not result in automatic loss of certification. However, depending on the circumstances of the compromise, it appears that DoD intends to authorize program managers to require recertification if they believe necessary. It is unclear whether this obligation will be imposed via contract or regulation and what standard will be used to determine that a recertification is necessary.

The cost of certification will be considered an allowable, reimbursable cost. The FAQs state that the costs “will not be prohibitive.”

Impact on Contractors

It is too early to assess the potential impact of the CMMC on contractors. Although details relating to the scope, breadth, and implementation of the CMMC are limited, the framework reflects DoD’s first meaningful attempt to impose a broader assessment regime. It is unclear whether implementation of the CMMC will eliminate the need for DCMA to conduct audits to measure compliance with NIST SP 800-171.

DIB stakeholders will have a number of opportunities to provide feedback. The CMMC Listening Tour is expected to include five outreach events throughout July and August 2019, with more expected before the framework is released in January 2020.

NIST Announces and Seeks Public Comment on 800-171 Update and Related Documents
https://www.insidegovernmentcontracts.com/2019/06/nist-announces-and-seeks-public-comment-on-800-171-update-and-related-documents/
Thu, 20 Jun 2019 19:44:46 +0000

On June 19, 2019, the National Institute of Standards and Technology (“NIST”) announced the long-awaited update to Special Publication (“SP”) 800-171 Rev. 1, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, which includes three separate but related documents.

First, NIST has announced an update to SP 800-171 Rev. 1, which is referred to as SP 800-171 Rev. 2. NIST characterizes the changes in SP 800-171 Rev. 2 as only “minor editorial changes,” including reordering the document and updating the contents of the Appendices. NIST emphasized that there are no changes to the basic or derived security requirements in Rev. 2; in other words, the same 110 total security requirements to ensure the confidentiality of CUI under SP 800-171 Rev. 1 remain unchanged in SP 800-171 Rev. 2. NIST notes, however, that a “comprehensive update” to SP 800-171—including updates to the basic and derived security requirements—“will be forthcoming” in Revision 3; the publication of Revision 3 will follow NIST’s upcoming final draft of SP 800-53, Security and Privacy Controls for Information Systems and Organizations “which will include modified control families, privacy integration, and make other conforming edits that are necessary.”

NIST characterizes the enhanced security requirements in SP 800-171B as providing the foundation for a “new multidimensional, defense-in-depth protection strategy that includes three, mutually supportive and reinforcing components: (1) penetration resistant architecture; (2) damage limiting operations; and (3) designing for cyber resiliency and survivability.” Indeed, NIST specifically recognizes that these requirements are necessary because the basic and derived requirements in SP 800-171 Rev. 2, which are currently required by the Defense Federal Acquisition Regulation Supplement (“DFARS”) 252.204-7012, “are not designed to address the [advanced persistent threat (“APT”)].” NIST also recognizes that many contractors may require the assistance of third parties to implement these enhanced requirements and that “despite the best protection measures implemented by organizations, the APT may find ways to breach or compromise those primary boundary defenses and deploy malicious code within a defender’s system.”

The enhanced security requirements of SP 800-171B are organized into the same 14 security requirement families as SP 800-171 Rev. 2, although there are no enhanced security requirements associated with four of the 14 families: Audit and Accountability, Maintenance, Media Protection and Physical Protection. There are enhanced security requirements associated with the remaining ten families, with more than a third of the total enhanced security requirements associated with the System and Information Integrity and Risk Assessment families. Each requirement is followed by a “discussion section” that is intended to provide additional information to facilitate the implementation and assessment of the enhanced security requirements.

The Cost Estimate also analyzes the costs associated with the implementation and maintenance of the SP 800-171B requirements, which it characterizes as “typically being an allowable contract cost to the government.” The Cost Estimate identifies Systems and Communication Protection requirement 3.13.4e (“employ physical and logical isolation techniques in the system and security architecture”) as the “primary factor” impacting the cost of implementation. The Cost Estimate further explains that this requirement “generally means isolating the IT environment where critical program capabilities are developed from the IT environment processing other CUI, or developing commercial products.”

Impact on Contractors

Although the ultimate impact of the publication of SP 800-171B is not entirely certain, it is clear that the government intends to impose the enhanced security requirements of SP 800-171B on a contract-by-contract basis when, in the government’s assessment, a contract involves designated high value assets or critical programs that contain CUI of interest to APTs.

Although DoD has stated the requirements will only apply to a very small subset of government contractors, how broadly these requirements will apply remains uncertain. Given the government’s increased focus on protecting its information from cyber threats, it is conceivable that DoD may ultimately impose the enhanced security requirements of SP 800-171B on more than just the 0.05% of contractors that DoD currently projects. In the short term, contractors should assess whether they need outside expertise to meet these requirements and ensure that they are ready to respond to an incident should one occur—for example, not only by ensuring incident response plans are updated, but also by periodically testing the plans with scenarios involving APTs. As NIST notes in SP 800-171B, the Government recognizes that an APT may get through even the best protection measures; nevertheless, in the event of an incident, the Government will judge contractors on how they respond to the incident.

In addition to commenting on the requirements and attempting to shape the final draft appropriately, contractors should now consider their ability to comply with the enhanced security requirements of SP 800-171B because successful implementation of these requirements may take time and require the investment of additional resources. Further, a thorough review of future contracts for inclusion of the enhanced security requirements of SP 800-171B must be added to every contractor’s solicitation review, even where contractors do not believe their contracts are likely to involve designated high value assets or critical programs of interest to APTs.

Finally, although DoD has stated that costs of compliance are “allowable costs,” this does not account for commercial item contractors that do not work on a cost reimbursable basis. Those contractors will need to recover these costs in the prices of their goods and services provided to the government.

Public Comment

NIST is seeking public comment on the initial drafts of SP 800-171 Rev. 2, SP 800-171B, and the Cost Estimate, and, due to an extension announced on July 10, 2019, the public comment period will be open until August 2, 2019. Comments on SP 800-171 Rev. 2 and SP 800-171B can be submitted to NIST via email to sec-cert@nist.gov, while comments on the Cost Estimate can be submitted to the DoD via a Regulations.gov Docket ID DOD-2019-OS-0072. NIST has cautioned that comments on SP 800-171B will be posted without change or redaction to both the Protecting CUI Project and the Regulations.gov Docket ID NIST-2019-0002 and thus, should not include personal or business information commenters do not wish to make public.

On March 26, 2019, the Senate Armed Services’ Subcommittee on Cybersecurity held a hearing to receive testimony assessing how the Department of Defense’s (“DOD”) cybersecurity policies and regulations have affected the Defense Industrial Base (“DIB”).

To gain a better understanding of the DIB’s cybersecurity concerns, the Subcommittee invited William LaPlante, Senior Vice President and General Manager of MITRE’s National Security Sector; John Luddy, Vice President For National Security Policy at the Aerospace Industries Association; Christopher Peters, Chief Executive Officer of the Lucrum Group; and Michael MacKay, the Chief Technology Officer of Progeny Systems Corporation.

In their opening remarks, the Chairman of the Subcommittee, Senator Mike Rounds (R-SD), and Ranking Member, Senator Joe Manchin (D-WV), acknowledged industry concerns about the DOD’s lack of clarity and disparate implementation of cybersecurity regulations, such as guidance relating to DFARS 252.204-7012 (“DFARS Cyber Rule” or “Rule”) and National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171.

Senator Rounds stated that he “expects [DOD] to come up with measured policies to make improvements in [cybersecurity]” and he “hope[s] DOD takes seriously the concerns of the DIB.” He further noted that DOD “cannot simply apply increasingly stringent cybersecurity requirements on its contractors” and that “doing so without subsidy or assistance is unlikely to particularly improve cybersecurity [for] the DIB” and would likely drive the most innovative small businesses out of the supply chain. Senator Rounds called for putting a program in place to ensure the best possible protections for contractors regardless of size and referred to the “Achilles heel” of this issue as the desire to use a large number of small contractors while still needing to protect sensitive government information. Later in the hearing, Senator Manchin expressed great concern over the cyber incidents experienced by DOD contractors and urged the witnesses to “tell [the Subcommittee] what you need . . . [the Subcommittee] is here to fix it and you’re here to tell us what’s broken.”

Summarized below are key points discussed during the hearing:

Clear, Scalable, and Consistent Cybersecurity Policy: Witnesses representing the DIB agreed that the future of the defense industry is dependent on robust cybersecurity and, to that end, expressed the need for DOD to clarify critical aspects of existing policy. For instance, the identification and definition of Controlled Unclassified Information and its subset, Covered Defense Information (“CDI”) was highlighted as an area of concern. DIB witnesses testified that the current definition of CDI in the DFARS Cyber Rule has become very broad. They suggested that DOD collaborate with the DIB to identify critical information so contractors are not protecting mundane data, but focusing on securing truly sensitive information. John Luddy noted that “with limited resources, if [contractors] try to protect everything that is currently considered CDI, we may under-protect the really important things.”

Unified DOD Approach: All of the witnesses emphasized the need for DOD to take a unified approach to cybersecurity that helps to minimize the burden on industry. The industry witnesses were clear that, together with large prime contractors, DOD can help support the middle and lower-tier suppliers to be cyber secure, but clear guidance and programs must first be in place. Currently, DOD has taken an “ad hoc, service-by-service” approach as it works towards developing actionable regulations, which has resulted in segmented and overlapping contractor infrastructure and increased costs. The DIB witnesses commended recent memoranda issued by Ellen Lord, the Under Secretary of Defense for Acquisition and Sustainment, that clarified requirements for contracts overseen by the Defense Contract Management Agency, but they also noted that the memoranda “raised issues that need to be collaboratively assessed.” The witnesses made plain the need for more opportunities to contribute to future standards and guidance by DOD.

Measuring and Certifying Cybersecurity Compliance: The DIB witnesses highlighted the numerous NIST SP 800-171 controls and the need to develop an approach using “real, objective metrics” that helps industry measure their cybersecurity performance against those controls. Defense contractors have been frustrated with the lack of clear metrics for compliance, which has resulted in the perception of DOD’s uneven enforcement of standards. The witnesses urged DOD to adopt a standard interpretation of NIST SP 800-171 as a useful baseline and starting point. They would prefer that DOD “set the bar high and set it once to hold all [companies] accountable, not only to spare companies from the cost, but also the need to adjudicate between different and potentially conflicting direction.”

Information Sharing: The witnesses also drew attention to the need for greater information sharing. One idea raised by the DIB witnesses included the formation of a centralized DOD threat sharing initiative that distributes relevant and timely data to the DIB to bolster cybersecurity efforts. The representatives acknowledged the tension between information sharing that is aimed at identifying and addressing threats and information that is competitive or business sensitive. But, there was a consensus that progress on information sharing has been made within the DIB and that further improvements would be welcome.

Throughout the hearing, members of the Subcommittee and representatives from the DIB seemed to agree that greater collaboration with DOD on contractor cybersecurity issues and supply chain issues would be necessary to address systemic concerns. While there was a broad focus on DFARS requirements and NIST SP 800-171, a number of related issues were raised with the goal of helping businesses prioritize investments and meet DOD’s cybersecurity standards. As the cybersecurity efforts by DOD and the DIB continue, there was consensus during the hearing for a considered approach to partitioning cybersecurity responsibility among DOD, prime contractors, and their subcontractors so that no single entity shoulders the entire burden.

Keeping Up With DoD Cybersecurity Compliance Demands
https://www.insidegovernmentcontracts.com/2019/03/keeping-up-with-dod-cybersecurity-compliance-demands/
Wed, 20 Mar 2019 13:56:27 +0000

(This article was originally published in Law360 and has been modified for this blog.)

On Jan. 21, 2019, Ellen Lord, the Under Secretary of Defense for Acquisition and Sustainment, issued a memorandum focused on assessing contractor compliance with the DFARS cyber clause via audits of a Contractor’s purchasing system.[1] One intent of this guidance is to have the Defense Contract Management Agency, or DCMA, “validate, for contracts for which they provide contract administration and oversight, contractor compliance with the requirements of DFARS clause 252.204-7012.”[2]

This would be done as part of a review of a contractor’s purchasing system in accordance with DFARS 252.244-7001. Pursuant to this DFARS clause, contractors are required to provide adequate security on their internal networks to protect Covered Defense Information (CDI) and are required to flow DFARS clause 252.204-7012 “Safeguarding Covered Defense Information and Cyber Incident Reporting” to subcontractors without alteration.

On Feb. 26, 2019, the DCMA updated its Contractor Purchasing System Review (CPSR) Guidebook to incorporate requirements from the January 2019 memorandum. In particular, the “Supply Chain Management Process” outlined in Appendix 24 states that “[p]rotecting Controlled Unclassified Information is a critical aspect” of supply chain management.[3]

The guidebook assumes obligations that are beyond those imposed by the DFARS clause, presumably assuming that new requirements will be imposed contractually in the future.

Applicability

The guidebook provides that if DFARS 252.204-7012 is applicable, the DCMA will evaluate a contractor’s purchasing system to assess:

There are significant issues with both of these requirements. First, the DFARS clause addresses CDI, which is a subset of CUI. Thus, the DCMA appears to be auditing to a standard that is not reflected in the DFARS clause. Indeed, the Department of Defense (DoD) has shown the below chart to industry many times depicting the narrower category of CDI versus CUI:[4]

Second, the Guidebook assumes that “DoD requirements for marking and distribution statements on DoD Controlled Unclassified Information (CUI)” actually exist. The definition and identification of CDI, both from a performance standpoint and now from an audit standpoint, remains one of the primary challenges for DoD and its contractors.

In the December 17, 2018, policy memorandum issued by Assistant Secretary of Defense for Acquisition Kevin Fahey, there was sample contractual language for requiring activities that covered identification and tracking of CDI flowed down to first-tier subcontractors, vendors and suppliers.[5] That sample contractual language, which refers to a post-award conference where the Government and the contractor will “identify and affirm marking requirements” for all CDI and contemplates that the post-award conference will also address restrictions on unnecessary sharing or flow down of CDI, is now appearing in new solicitations.

Although the inclusion of a meeting to address the government’s CDI marking requirements as a solicitation provision is a step in the right direction, by the time a post-award conference occurs, prime contractors will have already entered into teaming agreements and subcontracts with their supply chain without this knowledge. At that point, it may be too late for them to impose additional contractual requirements on their team members. Moving this requirement to a pre-award time period may be a more useful process.

Finally, the Guidebook’s requirement to “assure Tier 1 Level Supplier compliance with DFARS Clause 252.204-7012 and NIST SP 800-171” is new. The DFARS clause provides that contractors must provide adequate security on their own covered defense systems[6] and that contractors must flow down the clause without alteration to subcontractors “if the information required for subcontractor performance retains its identity as covered defense information.”[7]

Indeed, DoD’s own Frequently Asked Questions note that the requirement is to flow down the clause, not to assess compliance. Specifically, DoD’s current guidance is that “[i]f a subcontractor does not agree to comply with the terms of DFARS clause 252.204–7012, then covered defense information shall not be on that subcontractor’s information system.”[8] That obligation is contractual. By auditing whether contractors are “assuring” compliance by their Tier 1 subcontractors, the DCMA guidance exceeds the requirements that currently exist in the DFARS clause.

During the Review

The Guidebook imposes additional significant requirements with regard to flowing down CDI (again, the Guidebook continues to use CUI as the standard rather than CDI). For example, the Guidebook imposes a tracking and assessment requirement. These requirements are reflected in the December 2018 policy memorandum but are not reflected in the DFARS clause. Moreover, the Guidebook goes even further than the DoD December 2018 policy memorandum because it requires contractors to validate that all of their subcontractors’ information systems “can receive and protect CUI.” Specifically, the Guidebook states:

The prime contractor must validate that the subcontractor has a Covered Contractor Information System (CCIS) that can receive and protect CUI. The prime contractor must show documentation that they have determined that the subcontractor has an acceptable CCIS to include an adequate System Security Plan (SSP).

There is no requirement in the clause for prime contractors to assess that a subcontractor’s information systems are “acceptable,” nor is that term defined by DoD. Similarly, there is no requirement in the DFARS clause for contractors to judge the adequacy of a subcontractor’s SSP. Indeed, DoD has told industry that there is no requirement for a third-party assessment of compliance on the part of prime contractors. For example, in the most recent version of the Frequently Asked Questions issued by DoD it states:

Q15 (Q25): Is a 3rd Party assessment of compliance required?

A15: 3rd party assessments or certifications are not required, authorized, or recognized by DoD. By signing the contract, the contractor agrees to comply with the terms of the contract.

In order to safeguard covered defense information, companies with limited cybersecurity expertise may choose to seek outside assistance in determining how best to meet and implement the NIST SP 800-171 requirements in their company. But, once the company has implemented the requirements, there is no need to have a separate entity assess or certify that the company is compliant with NIST SP 800-171.[9]

Although DoD has made it clear that it is relying on self-assessments by its prime contractors, it would now impose an assessment requirement on prime contractors for all of their subcontractors. This is a significant change in position by DoD, and it does not address the practical impediments to implementation, including that many contractors fill both the prime and subcontractor roles when working with the government.

Finally, the Guidebook reflects two new “tracking” requirements: (1) to track cyber incidents reported by subcontractors, and (2) to track subcontractor security requirement variance requests from NIST SP 800-171 made to the Contracting Officer.

Although the DFARS clause requires subcontractors to report to a prime that a cyber incident has occurred, it is unclear if the Guidebook is imposing additional tracking requirements. Similarly, there is no requirement in the DFARS clause for tracking subcontractor security requirement variance requests, and the Guidebook does not provide any explanation of what is required to meet this standard. Further guidance in these areas would be helpful for contractors.

Impact on Contractors

Just as the threat is evolving, the rules also are changing. Many contractors are becoming overwhelmed with new “guidance” for the DFARS clause. The continually revised guidance reflects that DoD is also struggling with the threats and how best to protect its information.

Nonetheless, contractors should be aware of the new requirements that will likely show up in future contracts or modifications to existing contracts. Industry may not agree with DCMA that its revised audit guidance is consistent with actual contractor obligations. Contractors should have a clear understanding of the requirements that actually fall within the DFARS clause, and should carefully scrutinize any modifications and new solicitations for additional changes.

* * *

[1] “Addressing Cybersecurity Oversight as Part of a Contractor’s Purchasing System Review,” Memorandum, Ellen Lord, Under Secretary of Defense for Acquisition and Sustainment, Department of Defense (January 21, 2019), available at https://www.acq.osd.mil/dpap/pdi/cyber/docs/USA000140-19%20TAB%20A%20USD(AS)%20Signed%20Memo.pdf.

When Compliance Is Not Enough: OIG Seeks Voluntary Refund Despite Contractor’s Adherence to “TINA” Requirements
https://www.insidegovernmentcontracts.com/2019/03/when-compliance-is-not-enough-oig-seeks-voluntary-refund-despite-contractors-adherence-to-tina-requirements/
Tue, 12 Mar 2019 02:59:04 +0000

On February 25, 2019, the Office of Inspector General (“OIG”) for the Department of Defense (“DoD”) issued an audit report analyzing the prices of spare aviation parts purchased by the Defense Logistics Agency (“DLA”) and the Army from TransDigm Group, Inc. (“TransDigm”). The audit was conducted in response to letters from certain Members of Congress, who had inquired whether the spare parts were sold at fair and reasonable prices and in compliance with the Truthful Cost or Pricing Data Act (“Act”).[1] The OIG’s audit confirmed that both TransDigm and the responsible DoD contracting officers fully complied with the Act and related regulations governing the price negotiations, but the OIG nonetheless concluded that the contractor earned excess profit on the majority of parts sold. In a highly unusual move, the OIG recommended that DoD request a “voluntary refund” from TransDigm of its allegedly “excessive” profits, and the OIG also recommended a number of changes to statutory, regulatory, and administrative policies governing the provision of cost or pricing data.

The OIG’s Findings

At the request of U.S. Representatives Ro Khanna and Tim Ryan and Senator Elizabeth Warren, the OIG reviewed the price reasonableness of 47 spare aircraft parts DoD procured from TransDigm between January 2015 and January 2017. Using uncertified cost or pricing data that it collected during the audit, the OIG calculated the apparent profit realized by the contractor on the sale of each part, and concluded that the contractor realized “unreasonable” profits (defined as profits of greater than 15% in the report) on all but one of the parts. (The OIG arrived at the 15 percent profit percentage, in part, by looking at maximum profit percentages allowed in the FAR for three different types of contracts, none of which were fixed price.) The OIG applied this finding to a broader sampling of contracts held by TransDigm, and concluded that the contractor had earned $16.1 million in “excess profit” (i.e., profit over 15 percent) for the parts at issue.

The OIG concluded that a number of factors contributed to these supposedly “excessive” profits. First, TransDigm was the only manufacturer for the majority of spare parts, which the OIG stated allowed TransDigm to set the market price for these parts. According to the OIG, this dominant market position prevented contracting officers from relying on historical price analysis or competition to ensure price reasonableness because the price of some parts “appeared to be” excessive at the time the part was first sold to the Government, and because other competitors had to buy their parts from TransDigm before reselling to DLA.

Second, the OIG concluded that “performing a cost analysis using certified or uncertified cost data is the most reliable way to determine whether a price is fair and reasonable,” but the FAR does not require contractors to furnish cost or pricing data in some circumstances, such as when bidding on smaller-value awards or when providing a commercial item. In fact, various statutory and regulatory policies actually discourage contracting officers from requesting uncertified cost data when evaluating price reasonableness.

Third, in some cases the Government had an urgent need to acquire the parts. Thus, where TransDigm exercised its right not to furnish cost data, some Government officials simply moved forward with the procurement, concluding that the prices were justified under the “other reasonable basis exception.”

Finally, the OIG also waded into the policy arena, expressing concern about recent legislative changes to the Act. Specifically, the FY 2018 National Defense Authorization Act (“NDAA”) raised the threshold for requiring certified cost or pricing data from $750,000 to $2 million. And the FY 2019 NDAA changed the requirements for a waiver for submission of certified cost or pricing data, allowing contracting officers to obtain a waiver when any one of three circumstances apply: (i) the item cannot reasonably be obtained without a waiver, (ii) the price can be determined to be fair and reasonable without submission of certified cost or pricing data, and (iii) there are demonstrated benefits to granting a waiver. Previously, all three conditions had to apply to permit a waiver. The OIG claimed that these legislative changes had the effect of “making it easier for contractors to avoid providing cost data.”

The OIG’s Recommendations

The OIG made a number of recommendations that it believed DoD should pursue to address the findings of this report. As an initial matter, the OIG took the very unusual step of requesting that contracting officials pursue a “voluntary refund” from TransDigm for the supposedly excess profits, an amount totaling approximately $16 million. The OIG recommended this despite finding no actual wrongdoing by TransDigm, and despite its somewhat dubious conclusion that DoD would have procured each item at no more than 15% profit had the contractor simply complied with its requests for cost or pricing data.

Additionally, the OIG also announced a number of recommendations directed towards the Principal Director for Defense Pricing and Contracting (“DPC,” formerly known as DPAP). Specifically, the OIG recommended that DPC take the following actions:

Review the United States Code, the FAR, and the DFARS to determine changes needed in the acquisition process for sole-sourced parts to ensure that contracting officers obtain uncertified cost data when requested, including considerations for requesting such data when the purchases are below the thresholds currently established.

Expand existing requirements to mandate reporting by the contracting activity to DPC in all cases where an award is made for parts produced or provided from a sole source and the contractor opts not to provide cost or pricing data.[2]

Establish a framework for quarterly reporting and validation of consolidated information by the DoD components to the DPC Principal Director.

Amend the DFARS and DFARS Procedures, Guidance, and Information (PGI) to implement the enhanced reporting requirements described above.

Create a team of experts to analyze reported data, including the assessment of high risk parts and the identification of lower cost alternatives.

Implications for Contractors

The OIG’s report and recommendations have a range of potential implications and lessons for the defense contractor community—and particularly those that sell specialized spare parts or other items on a sole source basis.

Increased scrutiny and skepticism, even of lawful practices. Defense contractors are well-acquainted with efforts to crack down on fraudulent or wasteful contracting practices. But the OIG’s report represents a material departure from a standard “fraud, waste, and abuse” initiative. Here, the OIG essentially concedes TransDigm’s compliance with applicable laws and regulations, but nonetheless declares that TransDigm reaped “inflated” or “excessive” profits and recommends that TransDigm provide a “voluntary” refund. In this way the OIG’s report borders on a form of public shaming in an effort to claw back funds that a contractor fairly received by acting within its rights. This puts the contractor (and others like it) in a difficult position, both with regard to treatment of funds secured on these prior sales and with regard to future business with DoD.

Don’t be afraid (or ashamed) of profit. The OIG report appears to presume that contractors must inevitably accept low profit margins on government contracts. This is not the case. The FAR explicitly recognizes that profit serves a useful purpose in appropriately incentivizing contractors:

Both the Government and contractors should be concerned with profit as a motivator of efficient and effective contract performance. Negotiations aimed merely at reducing prices by reducing profit, without proper recognition of the function of profit, are not in the Government’s interest. Negotiation of extremely low profits, use of historical averages, or automatic application of predetermined percentages to total estimated costs do not provide proper motivation for optimum contract performance.[3]

Thus, profit calculations must consider the unique circumstances of the contract at issue. Although there are statutory limits on profits for certain types of cost-plus-fixed-fee contracts, those limits do not appear applicable to the contracts at issue here.[4]

Help out your contracting officer—but know your rights. The FAR identifies a number of data points that a contracting officer can rely upon to confirm that a proposed price is fair and reasonable (e.g., historical prices, quotes from competitors, an independent government estimate, market research, etc.), and contractors can look for opportunities to assist contracting officers in compiling this data. At the same time, however, it is critical for contractors to understand the full scope of their rights and obligations related to the provision of cost data, including those circumstances in which they have no obligation to share such data. The OIG report suggests that collecting uncertified cost data is the most effective way of ensuring price reasonableness, but as the report itself acknowledges, that does not mean that contractors are required to furnish such data. If such a requirement is adopted, then some contractors—especially in the commercial item area—may simply opt to leave the government market altogether rather than invest in the systems necessary to provide accurate cost or pricing data (whether certified or not).

There is more to come. The OIG has made a number of recommendations that, if implemented, could significantly alter the price negotiation process for defense contractors, particularly those that produce or sell items on a sole-source basis. Additionally, the FY18 NDAA directed the Government Accountability Office (“GAO”) to conduct “a study of Department of Defense and Defense Logistics Agency processes for purchasing noncompetitive spare parts and make recommendations for how to improve transparency and reporting in this area.” This report undoubtedly will generate additional interest and scrutiny upon its release, and defense contractors would be well-advised to closely monitor the policy and regulatory developments that follow.

[1] This Act was historically known (and is still commonly referred to) as the “Truth in Negotiations Act” or “TINA.” See 41 U.S.C. chapter 35; FAR 1.110.

[2] The existing reporting requirements, set forth in a 2007 DPAP memorandum, require reporting only where an award is approved despite the contractor’s denial of cost data “because of an exigent situation.”

DoD Continues to Up the Ante on Cybersecurity Compliance for Contractors
https://www.insidegovernmentcontracts.com/2019/01/dod-continues-ante-cybersecurity-compliance-contractors/
Tue, 29 Jan 2019 14:44:51 +0000

Compliance with the security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 is only the beginning for contractors that receive covered defense information (CDI) in performance of Department of Defense (DoD) contracts and subcontracts. Faced with an evolving cyber threat, DoD contractors have experienced an increased emphasis on protecting DoD’s information and on confirming contractor compliance with DoD cybersecurity requirements. This includes audits by the DoD Inspector General (IG) “to determine whether DoD contractors have security controls in place” to protect CDI, and enhanced security controls for certain high-risk contractor networks. And on September 28, 2018, the Navy issued a policy memorandum calling for enhanced cybersecurity requirements, including some that have generated opposition within the defense community, such as the installation of network sensors by the Naval Criminal Investigative Service on contractor systems. Other requiring activities are reportedly requiring similar enhanced protections, and NIST is expected to issue a public draft of Revision 2 to NIST SP 800-171 by the end of February, with an appendix of additional enhanced controls.

As discussed in our blog post here, on November 6, 2018, DoD issued final guidance to requiring activities for assessing contractors’ System Security Plans (SSPs) and their implementation of the security controls in NIST SP 800-171. Since then, DoD has issued two additional guidance memoranda; one that includes contractual language for implementing the November 6th guidance and one that explains how DoD plans to confirm contractor oversight of subcontractor compliance with the DFARS 252.204-7012 cybersecurity requirements.

Fahey Memorandum

On December 17, 2018, Kevin Fahey (Assistant Secretary of Defense for Acquisition) issued a memorandum that provides contractual language requiring activities can use in conjunction with the November 6th guidance. This language addresses (i) access to and delivery of contractors’ and subcontractors’ SSPs (or extracts thereof), (ii) access to and delivery of a contractor’s plan to track flow down of CDI to subcontractors and to restrict unnecessary sharing/flow down of CDI, and (iii) the requirement for a prime contractor to flow down (i) and (ii) to its first-tier subcontractors. The added language is necessary because these requirements are not explicitly reflected in DFARS 252.204-7012.

One of the contractual excerpts addresses the submission of SSPs and Plans of Action and Milestones (POA&M). Although NIST SP 800-171 does address the production of the prime’s SSP to the government, the DFARS cyber clause does not explicitly require it and it was not until the November 6th guidance that DoD indicated it would require delivery of subcontractors’ SSPs and POA&Ms.[1] Potentially problematic in the new contractual language is the requirement for the prime to ensure government access to the SSP and POA&Ms of its first- and second-tier subcontractors, vendors and suppliers, given the sensitivity of this information and the competitive nature of the defense industry. Contractors will need to ensure that their subcontract, vendor and supplier forms cover this requirement.

The second excerpt covers the identification and tracking of CDI flowed down to first-tier subcontractors, vendors and suppliers. This language anticipates a “post-award” conference where the Government and contractor will “identify and affirm marking requirements for all covered defense information.” The language also contemplates that the post-award conference will address restrictions on unnecessary sharing or flow down of CDI. There is a requirement for contractors to track all CDI and “document, maintain, and provide to the Government, a record of tier 1 level subcontractors, vendors, and/or suppliers who will receive or develop covered defense information” in performance of the subcontract. Each of these requirements must be flowed down to first-tier subcontractors, vendors and suppliers. Given the broad use of “subcontractor, vendor and supplier,” it seems clear that DoD’s focus is on any entity to whom CDI is provided in the performance of a DoD contract, regardless of whether that entity is defined as a subcontractor subject to the myriad of other procurement requirements. DoD is plainly concerned with the CDI being passed along and DoD’s requirements for protecting that information from improper disclosure. Again, the tracking and documentation requirements are beyond the current DFARS cyber clause requirements and contractor agreements with relevant subcontractors, vendors and suppliers should be reviewed to confirm compliance in anticipation of this new requirement.

Lord Memo

On January 21, 2019, Ellen Lord (Under Secretary of Defense for Acquisition and Sustainment) issued a second memorandum focused on assessing contractor compliance with the DFARS cyber clause via audits of a contractor’s purchasing system. Much like the DoD IG audits that many contractors have been subject to in the past few months, the intent of this guidance is to have DCMA “validate, for contracts for which they provide contract administration and oversight, contractor compliance with the requirements of DFARS clause 252.204-7012.” However, the memorandum states that this would be done as part of a review of a contractor’s purchasing system in accordance with DFARS 252.244-7001. Because the need for a contractor purchasing system review is triggered when sales to the government are expected to exceed $25 million during the next twelve months (excluding certain firm-fixed-price contracts and contracts for commercial items), it is unclear how contractors outside these parameters will be reviewed.

The DCMA review is focused on contractor oversight of its first-tier subcontractors. Pursuant to the memorandum, DCMA review will include the following:

Notably, there is no specific requirement in the DFARS cyber clause for documented procedures to flow down CDI to first-tier subcontractors. Nor is there any explicit requirement to assess compliance of first-tier subcontractors with the DFARS cyber clause. These requirements, however, will ostensibly be imposed by the new contractual language that appeared in the December 17 Fahey memorandum.

Impact on Contractors

DoD’s evolving cybersecurity requirements present new challenges to contractors that are still working to fully implement all 110 controls in NIST SP 800-171. Although DoD will rightfully note that the DFARS cyber clause requires contractors to provide “adequate security” and that compliance with NIST SP 800-171 is the minimum requirement, the reality is that the ever-changing approach and the use of guidance issued in a piecemeal fashion has the potential to cause more confusion rather than less. Contractors will need to update their subcontract forms and develop an approach for meeting these requirements, as they are likely to begin appearing in solicitations and DCMA will be expanding its review of contractor purchasing systems with the above requirements.

[2] Neither the November 6th guidance nor the January 21 Lord memorandum define “Tier 1 Level Supplier,” but from the context of the December 17 Fahey memorandum it appears that DoD intends it to be interpreted broadly to include first-tier subcontractors, vendors and other suppliers.

Surviving the Shutdown: Seven Things Contractors Should Consider If a Cost Overrun Is on the Horizon
https://www.insidegovernmentcontracts.com/2019/01/surviving-the-shutdown-seven-things-contractors-should-consider-if-a-cost-overrun-is-on-the-horizon/
Wed, 23 Jan 2019 21:52:14 +0000

The U.S. Government shutdown is now the longest in U.S. history and is starting to have serious implications for Government contractors. One of many key concerns arises when contractors approach their contract funding ceiling — can they continue to work, and what happens if there is a cost overrun?[1]

The answers are often complicated for both contractors and agency officials, and depend on the terms of the contract and the statutory basis for the program. Contractors facing this situation should keep seven points in mind.

(1) Agencies usually are not required to pay contractors for work in excess of the cost ceiling, even if the agency later allots additional funding

Most cost-type contracts limit the Government’s obligation to pay contractors in excess of the total funding allotted to a contract. E.g., FAR 52.232-20(d)(1); FAR 52.232-22(f)(1). Contractors may wonder whether they can continue working during the shutdown, assuming that the Government will add funding once the shutdown ends. Although there may be circumstances where that strategy is sensible, contractors subject to these limitations who take that approach will be at risk of not receiving payment for costs incurred in excess of the obligated amount, even if the agency later allots funding to the contract.

Depending on the language of a particular contract, contracting officers may have discretion to fund an overrun retroactively. E.g., FAR 52.232-20(f); FAR 52.232-22(i). A variety of factors may be relevant to determining whether a contracting officer could or would do so, and contractors should carefully evaluate the circumstances before deciding whether to proceed.

Contractors with multi-year or umbrella indefinite-delivery/indefinite-quantity (“IDIQ”) contracts should also consider whether their funding is limited on a yearly or task-order basis. See InterImage, Inc. v. United States, 133 Fed. Cl. 355, 369 (2017) (funding ceiling set by order); Boeing Co., ASBCA No. 57409, 14-1 BCA ¶ 35474 (funding ceiling set by base IDIQ contract); FAR 52.232-19 (limiting funding to a tailored time frame in the contract). Depending on a contract’s terms, funding limitations may be tied to specific time frames or task orders, or constrained on some other basis. Filling orders outside of those constraints may jeopardize the ability to be reimbursed.

(2) Notify the agency before you reach the ceiling

Before reaching the contract ceiling on obligated funds, contractors are required to notify the agency. Outreach to the contracting officer may not only help to avoid surprises, but may allow the agency to develop a funding solution.

However, providing such notice in an informal manner may not be sufficient. Many federal contracts require the contractor to notify the agency “in writing whenever it has reason to believe that the costs it expects to incur under this contract in the next 60 days, when added to all costs previously incurred, will exceed 75 percent” of the total amount allotted to the contract. FAR 52.232-22(c); see also FAR 52.232-20(b). Contractors may also be required to notify the agency of “the estimated amount of additional funds, if any, required to continue timely performance[.]” FAR 52.232-22(d). Because contracting officers may be furloughed during the shutdown, contractors may find it particularly difficult to provide this notice; however, that difficulty does not excuse compliance.

In turn, contracting officers are required to address a potential cost overrun “upon learning” that the contractor is approaching the limitation on funding. FAR 32.704(a)(1); FAR 52.232-20(d); FAR 52.232-22(f)(2). Contracting officers should state “in writing” whether the agency will increase funds, terminate the contract, or take some other action to address the issue. FAR 32.704(a)(1)(i)-(iv); see also HTC Indus., Inc. v. Aspin, 22 F.3d 1103 (Table), 1994 WL 66091, at *2-4 (Fed. Cir. 1994) (holding contractor not entitled to costs in excess of ceiling, despite agency’s failure to respond under FAR 32.704(a)(1)).

(3) Contractors normally have the right to stop work once funding ceases

Just as agencies may not be required to pay for work in excess of allotted funds, contractors are normally not required to do such work.

Standard FAR clauses provide that contractors are “not obligated to continue performance” of work until the contracting officer (i) increases the allotted funding and (ii) notifies the contractor of the increase in writing. FAR 52.232-20(d)(2); FAR 52.232-22(f)(2).

In other words, contractors generally have a unilateral right to stop work once funding is exhausted. Although that may be little comfort to a contractor that seeks to continue working, these rules can protect contractors from Government demands for additional work or claims for breach of contract. See Titan Corp. v. West, 129 F.3d 1479, 1480 (Fed. Cir. 1997) (explaining the policy justifications for these provisions).

It is essential that contractors receive a notice from the contracting officer — and not anyone else — adding funds before continuing work; that is because “[n]o notice, communication, or representation in any form other than that specified” from “any person other than the Contracting Officer” can bind the Government to additional funding. FAR 52.232-20(e); FAR 52.232-22(h).

(4) Agencies should not encourage unfunded work

Not only are agencies restricted from paying for work in excess of a ceiling, they are also restricted from accepting voluntary work under the Antideficiency Act (“ADA”) — a 19th century statute that prohibits federal employees from incurring unfunded obligations. 31 U.S.C. § 1341; 31 U.S.C. § 1342.

Agencies should not encourage or accept contractor work in excess of obligated funding: “Government personnel encouraging a contractor to continue work in the absence of funds will incur a violation of” the ADA. FAR 32.704(c) (emphasis added). Indeed, a federal Government official who violates the ADA is subject to criminal sanction. 31 U.S.C. § 1350 (“An officer or employee of the United States Government or of the District of Columbia government knowingly and willfully violating section 1341(a) or 1342 of this title shall be fined not more than $5,000, imprisoned for not more than 2 years, or both.”).

(5) If an agency is considering termination for convenience, take care to ensure that termination expenses are funded

In some cases, agencies may be forced to terminate a contract for convenience based on a lack of funding, or may elect a termination for convenience rather than obligating additional funding. While a convenience termination normally allows a contractor to be made whole for its incurred costs, terminations under such circumstances can put the contractor at risk; termination expenses — like all other expenses — require sufficient appropriations. E.g., Principles of Federal Appropriations Law, 3d., Vol. 2, Ch. 6, Government Accountability Office (Mar. 2015) (citing Aerolease Long Beach v. United States, 31 Fed. Cl. 342, 363 (1994) (agency properly considered termination costs as current obligations)). Contractors should be mindful of this rule when tracking costs and should be aware of potential termination costs for purposes of providing the Government with the notices described above.

(6) If you do experience a cost overrun, there may be options for obtaining payment

Despite these standard rules, and in the event that an unexpected overrun does occur, the Courts and Boards of Contract Appeals have recognized several circumstances in which a contractor might be compensated for work beyond a cost ceiling.

In one line of cases, Courts have found that if an agency knew of a cost overrun but took specific actions intending to induce a contractor’s performance, then the agency may be equitably estopped from denying payment. E.g., American Elec. Labs., Inc. v. United States, 774 F.2d 1110, 1113 (Fed. Cir. 1985) (finding contractor entitled to payment when it was “reassured repeatedly” by agency officials that funding was available).

In a related line of cases, contractors may be excused from requirements to provide notice in advance of a cost overrun, if the agency was not prejudiced by a lack of notice. E.g., Johnson Controls World Servs., Inc. v. United States, 48 Fed. Cl. 479, 487 (2001).

Unfortunately, these exceptions are based on unexpected events, and thus it may be difficult for a contractor to evaluate their applicability until a problem has arisen.

(7) Contractors should identify and document added costs incurred due to the shutdown

If properly documented, contractors may be able to recover reasonable and allowable costs incurred because of the shutdown. One approach for recovery applies when the contracting officer issues a written “stop-work order” under the Stop-Work Order clause found at FAR 52.242-15. If a contractor receives a notice to cease performance, the contractor may be able to argue successfully that it should be treated in the same manner as a formal stop-work notice issued under the FAR clause, even if it was not titled in that manner.

Absent recovery under the Stop-Work Order clause, contractors may be able to proceed under the Government Delay of Work clause (FAR 52.242-17), which allows for adjustments in contract price or delivery schedule if the actions of the contracting officer in the administration of the contract are “not expressly or impliedly authorized” by the contract. One point to remember is that contractors will not be permitted to recover lost profit under this clause. The cost reimbursement Changes clause (FAR 52.243-2) also may provide a basis for recovery for a stop in work depending on the costs and facts of the stoppage.

In each instance, if the work stoppage was communicated orally, the contractor’s ability to recover is enhanced if the contractor documents that direction in writing and confirms it with the Government. Contractors should also be mindful of any applicable timing requirements, since each of these clauses has its own notice and assertion deadlines. Although all of these approaches face challenges, tracking the costs as they are incurred is the essential first step.

Finally, even if a contractor takes all the precautionary steps outlined above, proceeding without funding will pose one additional risk. In any dispute over costs stemming from the shutdown, the Government may assert that its acts are covered by the sovereign acts doctrine, which shields the Government from liability for certain conduct taken in the exercise of its sovereign power. The Government asserted such a defense in Raytheon STX Corp. v. Dep’t of Commerce, GSBCA No. 14296-COM, 00-1 BCA ¶ 30,632. While under the particular circumstances of that case the board held that the sovereign acts doctrine did not bar recovery against the Government for costs arising from a partial shutdown, it is not certain that the result would be the same for all contractors in the current situation.

[1] This article focuses on only one of the numerous challenges contractors potentially face related to the Government shutdown. For example, the shutdown may cause complications related to progress payments, agency reviews or required agency consents, among other issues, leading to program delays and cash flow difficulties affecting employee retention and payment of subcontractors.
